I have edited session.cookie_domain = ".mysite.in" in php.ini to share one single session for same user across all the sub domains of my site.
But it is not working weird. Now if I open a session at "www.mysite.in", it gets shared with "mysite.in"(no www), but not with "oth.mysite.in".
PS : The session did not get shared to "mysite.in" before. So edit definitely has some effect.
Related
I want to make a session on a subdomain, and then access it from my main domain. I have read many threads regarding the same problem but none of the answers work for me.
I have a VPS from Dreamhost, and I have sat the following line into phprc on both domains (phprc is added to php.ini, dreamhost way of editing php.ini) session.cookie_domain = ".MAINDOMAIN.com" where .MAINDOMAIN.com is referring to my domain name. This was the working solution here: Sharing SESSION Variables Between Multiple Subdomains
I have then made a php file I call test.php on both login.DOMAIN.com and DOMAIN.com
On login.DOMAIN.com/test.php I have the following code:
session_start();
$_SESSION['test'] = "Works";
print_r($_SESSION);
The output when I navigate to the file:
Array ( [test] => Works )
After visiting that page I Then go to DOMAIN.com/test.php where the code is:
session_start();
print_r($_SESSION);
And the output is:
Array ( )
I have seen other threads like this: Allow PHP sessions to carry over to subdomains with 4 different options to set the php.ini line (Directly in php.ini, in .htaccess, in the script, and finally php-fpm pool configuration) and I have tried them all with the exception of the last one with php-fpm pool configuration
I have also tried to set this line on top of my php files, before session_start:
session_set_cookie_params(0,"/",".MAINDOMAIN.com",FALSE,FALSE);
And this on top of that:
session_name('mysession');
But nothing works
I have also checked with HTTP Header Live for FF which domain the cookie is set for as the answer here: Why can't I pass user sessions between subdomains? and the string of Set-Cookie is:
Set-Cookie: PHPSESSID=9Q%2Cfrhr747fferf4700; path=/
There is no mention of what domain? What am I doing wrong? Any ideas?
Maybe this is more of a work around but...
if you're not passing any private information you could pass the information from the sub domain to domain with $_GET's then use a page (getsession.php) on the domain to turn the $_GET's to $_SESSION's and redirect back to index of the domain to remove the $_GET's from url.
It is a limitation on Dremhost managed VPS, that don't allow sharing php sessions between virtual hosts (Subdomains). I have switched to another provider and everything works
I have a problem sharing the session between two subdomains, and I've read a lot of threads here and other places.
I have www.xx.com and sub.xx.com and I've set
session_name("PHPSESSXX");
session_set_cookie_params(0, '/', '.xx.com');
and the session.save_path is the same on both domains.
I get a cookie called PHPSESSXX on both domains, and it has the same value.
When I log on to www.xx.com I get a session with some details in it, and it stays that way until I go to sub.xx.com. Then the session on sub.xx.com is empty, and if I refresh www.xx.com, the session there is gone as well. So it does something, but it seems to be overwriting the session data each time I visit a different subdomain.
Any ideas anyone? - Can i debug this somehow?
Btw: I'm using ssl on both domains.
cheers
PHP session ids are saved in Cookies. To make a cookie available in all the sub-domains you need to assign it to the root domain. Then all the sub-domains will get the session id from cookie and PHP can find the session using passed session id.
As it turns out, You just need to set the session.cookie_domain to the root domain in php.ini file
session.cookie_domain = ".example.com"
Also check manual for different approaches used to set an ini entry.
Your question is answered here
Sharing SESSION Variables Between Multiple Subdomains
My solution was to set a flag in .htaccess like this:
php_flag "suhosin.session.cryptdocroot" 0
And it now works perfectly ;o)
The problem was that Suhosin was installed on the system, and the ini variable
suhosin.session.cryptdocroot = On
encrypted the session files in such a way, that when a different subdomain tried to change the session, it deleted everything for security reasons.
It didn't work for me to set the variable to Off or [nothing] in the ini-file, though maybe I didn't find the right file.
I also tried setting it in PHP without any luck. Like this:
ini_set('suhosin.session.cryptdocroot', 0)
cheers
We are having some issues with PHP Session Cookies not allowing us to log into our *SugarCRM** application which is open source PHP application.
The problem is we have the same application installed on 2 sub-domains like below...
Main site
www.domain.com
Dev site
dev.www.domain.com
Now after logging into one, it will not allow you to login to the other!
Please view the image below to see the Cookie problem...
In the image above you can see that there is 2 PHPSESSID Cookies competing for the Session!
If I now delete one of them, it allows me to login as normal without an issue!
Because this is SugarCRM, I am hoping I can resolve this issue without making really any core file modifications to the application. But if I have to, then we will.
So does anyone have any ideas on a good solution?
Right now my idea for a "Nasty Dirty Hack" which I really do NOT want to have to do. It is to make a button on the login form, this button will use JavaScript to clear/delete the PHPSESSID Cookies but again I would really like to find a proper solution.
If anyone has any ideas, please share? Thank you
UPDATE
Thanks for the answers so far. Please do take into acocunt that this is not a simple PHP application that I built where I can easily do code changes. THis is SugarCRM which is a massive large application with thousands of files
Try to setup in .htaccess parameter on subdomain
php_value session.cookie_domain .domain.com
or use in php code, but before "session_start()"
ini_set('session.cookie_domain', '.domain.com' );
Use
session_set_cookie_params
to set the session from the subdomain, on the principal domain.
Try to use function (http://php.net/manual/en/function.session-set-cookie-params.php):
session_set_cookie_params ( $lifetime, $path, $domain, $secure, $httponly)
And set one $domain = '.domain.com'
Or if you setting session cookie manually by setcookie, then setting the same domain too
Its actually not the domain you need to change, but the "session name" (name of the cookie parameter). Both apps seem to be using the default "phpsessid" and need to be made to differ, otherwise the apps will see eachother sessions, see the wrong session, or try to unserialize classes only defined in the other project.
You need to change the cookie parameter its storing the session ID in. It can be controlled from an environment variable (php.ini, .htaccess, etc.): http://us1.php.net/manual/en/session.configuration.php#ini.session.name
This way you can have multiple PHP sessions on the same domain. For example if you had example.com/sugarcrm and example.com/foo You could have sugarCRM store it's session ID in a cookie param called "sugarsession" (instead of the default phpsessid)
It has been a while since I had this issue but I think all you have to do is write each instances session file to a different directory by editing the config.php in each SugarCRM's file system and change the line
'session_dir' => '',
to point at a different directory.
PHP sessions work as expected in root directory, and one directory deep. Directories that exist 2 deep end up with a new session id, and all session varaibles are lost.
I include a file config.inc.php (absolute path) into all pages which calls session_start() and initializes the SESSION variables. I found a PHP directive setting that seems to mention subdirectories, but it looks like it is referring to subdirectories of temporarily stored session files.
I've double checked using the HTTPFox firefox plugin, as soon as I visit any page 2 levels deep, the session is gone, and and a new session ID is issued. Very Strange...
Ah, it looks like I was writing my URLS to those particular directories using localhost instead of 127.0.0.1... The different domain caused the browser to think it was a different website, I guess. Changing this solved my problem.
I have a problem where i am losing the PHP session between 2 pages.
The session_start() is included in a file called session-inc.php into every page requiring a session to be set. This works for all pages on the site except one particular page, member-profile.php. When this page is visited a new session with a different id (same session name) is set and used instead.
A few more details:
Session name is set manually
All pages are on the same server under the same domain name
If i put an additional session_start() above the include('session-inc.php') in the member-profile.php file, the session is carried over correctly
I have tried setting the session_cookie_domain and session.session_name in the .htaccess, this worked for this domain but it stopped the session being passed over to out payment domain
We are running apache 2.2.6 with php 5.2.5
Putting the session_start() above the include('session-inc.php') in the member-profile.php file is the quick and dirty fix for this problem, but i am wondering if anybody know why this would be happening.
Cheers
Will
According to PHP documentation, session_start must be called before any output is sent back to the browser-- could this page have a rogue CR/LF, Unicode byte-order mark or similar that is causing output before you include('session-inc.php')?
While migrating a legacy site from PHP4 to PHP5 I noticed a php.ini configuration setting that causes php to auto-start the session upon every request. It's an alternative to placing session_start() onto every page...
There are multiple ways to enable this setting:
Put the following line into php.ini:
session.auto_start = on
or put this into your apache virtual-site config or .htaccess file:
<IfModule mod_php5.c>
php_flag session.auto_start on
</IfModule>
and it should make $_SESSION changes available across all pages
I have just encountered this problem. Interestingly, browsing via http://127.0.0.1 instead of http://localhost helped me.
I just spent all day diagnosing this issue in my Ionic3 - to - PHP project. TL; DR - make sure your client is actually sending session credentials.
In the interest of helping anyone who makes this mistake, I will share how I found the problem.
I used these tools to diagnose the session on both the client and server:
1) Add a test file with phpinfo() to the server to review PHP session options.
2) Review the PHP code to make sure that no output, intentional or un-intentional occurs before the session_start() line. Check the status bar of Visual Studio Code to make sure the Byte Order Mark (BOM) is absent from the PHP files.
3) Review server PHP logs (in /var/log/nginx/error.log for me). Add error_log() lines to the php file to dump the session_id() or $_SESSION array.
4) Use tcpdump -An 'port 80 or port 443' to view the actual HTTP requests and replies. (That's where I discovered the missing cookies).
For an Ionic3 data provider the correct syntax for the client is:
var obsHttp = this.http.post(url, body,
{ headers: new HttpHeaders({
'Content-Type':'application/x-www-form-urlencoded'
}),withCredentials: true }).timeout(this.timeoutTime);
Notice the withCrentials:true
One needs to call subscribe on the obsHttp() observable to send the request.
Found the issue
There was a byte order mark at the beginning of the main includes file of the second domain. as stated by ken, cant have any output before a session start, it was not setting the session correctly.
SOLUTION:
session.auto_start = on
in file: php.ini
It solved the issue of re-generating session id on page reload (page refresh / change pages).
The issue appeared after the update of CPanel (and included Multi PHP), even the php version remained the same.
The PHP.ini file didn't had that variable at all.
Went in Cpanel -> MultiPHP INI Editor -> Editor Mode (not Basic, in basic you do not have this setting) and added the line. Press Save.
TIPS / WHEN TO USE THIS SOLUTION:
To determine if that is the problem, put a line at the very beginning and at the very end of your index.php file to check the session id. Use function:
session_id();
Navigate through pages / reload the page. If the session_id value changes the problem is not in your code and this solution should solve your problem (the session is lost outside of your code).
I also tried to verify the availability of saving session on the web server (session.save_path) but, even if it was a lead, it was not the case.
I imagine this is a "feature" of Cpanel with MULTIPHP UPDATE that will happen quite often.
I had this problem, and the cause was that PHP was ignoring all cookies after the first 100. (I asked this question to try to find out why, but so far nobody has figured it out). The browser was sending the PHPSESSID*, but since it was the 110th cookie, PHP was ignoring it.
To figure out if this problem is what's affecting you, use your browser's dev tools to look at the cookies that the browser is sending with the request, and compare that list to the $_COOKIE array in PHP. They should be the same. But if the browser is sending a PHPSESSID*, and there's no PHPSESSID* in $_COOKIE, then that would explain why sessions aren't working.
I solved the problem by not having my site use so many cookies, which is good practice anyway.
*PHPSESSID is the default session name. Your site may use a different name.
To solve the session_id change after each request, you change the parameter session.auto_start and session.cookie_httponly into the php configuration file.
to find the used php configuration file
php -i | grep "php.ini"
then you open it, and try to find the parameter session.auto_start . you set
session.auto_start = 1
session.cookie_httponly = 0
finally you restart your httpd/apache service.
Found the issue
In my case it was due to Varnish Settings please check your varnish settings. PHPSESSID you can exclude the cookie from the Varnish Settings.
I'm not an expert, but found a solution after careful investigation of domain name in the cookies info of two webpages opened on Firefox. (Right click on the page, select inspection and the storage). checked domain names and found that one with www.example.com and the other without www (example.com). changed all the page links to same format and the problem solved for my case.
Found the problem was a byte order mark (BOM) being ouputted at the start of the file. Got rid of it and it sorted out the session problem.